First, I have an application that uses Twitter authentication.
When a user logs in successfully, I send [oauth_token, oauth_token_secret, user_id] to my API.
Next, I obtain the user info via “https://api.twitter.com/1.1/users/show.json?user_id=****” to store the data in my DB.
Now I have a problem. If someone sends to my API their own oauth_token and oauth_token_secret, but the id of another user, there is no difference; my API fails in security.
I also use Facebook, Google, … I just send the access_token to my API, and users have no way to attack.
I would like to ask a question: Is my way wrong? Or does Twitter not separate the Users API, one for getting by id, one for getting by token?
Thank you everyone. My English is not good. Sorry about that.
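The weakness described above is that the server verifies the token pair but then trusts a user_id chosen by the client. The fix is to let the token itself decide who the caller is: Twitter's API 1.1 exposes GET account/verify_credentials.json, which returns the profile of the account that owns the signed request, so the server never needs the client to tell it the id. The following Python is an added example, not the poster's code; it replaces the real Twitter endpoints and token store with constructed in-memory stand-ins (all token strings and ids are made up) and contrasts the insecure flow from the question with a hardened one.

```python
"""Simulated Twitter-style login endpoint: trusting a client-supplied user_id
versus deriving the identity from the OAuth token pair itself.

Everything here is constructed for illustration; no network calls are made.
"""


class AuthError(Exception):
    pass


# Constructed stand-in for Twitter's token store:
# (oauth_token, oauth_token_secret) -> user_id. Real tokens are opaque strings.
_TOKEN_OWNER = {
    ("tok-alice", "sec-alice"): "1001",
    ("tok-mallory", "sec-mallory"): "2002",
}

# Constructed stand-in for public profile data (what users/show.json returns).
_PROFILES = {
    "1001": {"id_str": "1001", "screen_name": "alice"},
    "2002": {"id_str": "2002", "screen_name": "mallory"},
}


def twitter_users_show(user_id):
    """Simulates GET /1.1/users/show.json?user_id=...: public data keyed by id
    only, so a successful lookup never proves the caller owns that account."""
    try:
        return dict(_PROFILES[user_id])
    except KeyError:
        raise AuthError("unknown user_id")


def twitter_verify_credentials(oauth_token, oauth_token_secret):
    """Simulates GET /1.1/account/verify_credentials.json: returns the profile
    of the account the token pair belongs to, or raises if the pair is invalid."""
    try:
        owner = _TOKEN_OWNER[(oauth_token, oauth_token_secret)]
    except KeyError:
        raise AuthError("invalid token pair")
    return dict(_PROFILES[owner])


def login_insecure(payload, db):
    """The flow from the question: confirm the token pair is valid, then trust
    the client-supplied user_id. Any valid token lets the caller claim any id."""
    twitter_verify_credentials(payload["oauth_token"], payload["oauth_token_secret"])
    profile = twitter_users_show(payload["user_id"])
    db[profile["id_str"]] = profile
    return profile["id_str"]


def login_secure(payload, db):
    """Hardened flow: identity is resolved from the token pair. A client-supplied
    user_id is optional and only accepted if it matches the token's owner."""
    profile = twitter_verify_credentials(payload["oauth_token"], payload["oauth_token_secret"])
    claimed = payload.get("user_id")
    if claimed is not None and claimed != profile["id_str"]:
        raise AuthError("user_id does not match token owner")
    db[profile["id_str"]] = profile
    return profile["id_str"]


def demo():
    """Mallory's own valid token pair submitted together with Alice's id.
    Returns (who the insecure endpoint logged in as, whether the secure one refused)."""
    forged = {"oauth_token": "tok-mallory", "oauth_token_secret": "sec-mallory", "user_id": "1001"}
    insecure_db, secure_db = {}, {}
    logged_in_as = login_insecure(forged, insecure_db)  # "1001": treated as Alice
    try:
        login_secure(forged, secure_db)
        rejected = False
    except AuthError:
        rejected = True
    return logged_in_as, rejected


if __name__ == "__main__":
    print(demo())
```

The same principle applies to the Facebook and Google flows mentioned in the question: the server should look up the account bound to the access token (or validate the token and read the subject claim from it) rather than accept an identity field supplied alongside it.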